ACE20 gre problem

Hi,
I want to route GRE traffic through an ACE20, but it doesn't seem to work. The only thing I configured was an ACL with GRE enabled, but the ACE20 seems to drop the GRE packets. The GRE traffic is entering via the vlan 561 interface and should be sent out via the vlan 472 interface. Source 10.94.32.212, destination 10.94.132.39. The tunnel control traffic on port tcp/1723 is working fine. Nothing is configured for the GRE traffic in the service-policies.
Can anyone help me?
ACE configuration
access-list ALL line 10 extended permit ip any any
access-list ALL line 20 extended permit icmp any any
access-list ALL line 30 extended permit gre any any
access-list NAT-472 line 10 extended permit tcp 10.94.132.0 255.255.255.128 10.94.133.0 255.255.255.0
access-group input ALL
interface vlan 472
  ip address 10.94.132.2 255.255.255.128
  ip dhcp relay server 10.94.62.158
  ip dhcp relay server 10.94.62.173
  ip dhcp relay enable
  alias 10.94.132.1 255.255.255.128
  peer ip address 10.94.132.3 255.255.255.128
  no normalization
  nat-pool 461 10.94.132.4 10.94.132.4 netmask 255.255.255.255 pat
  service-policy input ALLOW-ICMP
  service-policy input LB-POLICY-VLAN561
  service-policy input NAT-472
  no shutdown
interface vlan 561
  ip address 10.94.83.77 255.255.255.248
  alias 10.94.83.76 255.255.255.248
  peer ip address 10.94.83.78 255.255.255.248
  no normalization
  nat-pool 561 10.94.148.5 10.94.148.5 netmask 255.255.255.255 pat
  service-policy input ALLOW-ICMP
  service-policy input LB-POLICY-VLAN561
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.94.83.73

The problem is solved with a reload of the 6509 switch with the ACE module. Probably an interface problem on the ACE due to changes.

Similar Messages

  • ACE20 and TLSv1.0 extensions problem

    Hi,
    I have a problem with an ACE20 running software version A2(2.3) [build 3.0(0)A2(2.3)].
    We have a simple load-balancing arrangement for two Apache webservers. All we do is pass HTTP and HTTPS traffic through to one of two servers. We don't do SSL termination or initiation on the ACE, just passthrough.
    We now have a requirement to support connections that only use TLSv1.0 with no fallback to SSLv3. If I use IE8 the connection works. If I use IE9 or FF19 then the connection fails. I've traced this to the use of TLS extensions in the ClientHello packet, which came after the TLSv1.0 RFC. IE8 doesn't send extensions whereas the other browsers do. I can replicate the problem with the OpenSSL s_client application. What surprises me is that the ACE checks the structure of the TLS negotiation even though I'm not asking it to make decisions about it. I can see why this would be done as a security feature if the ACE implemented a strict RFC2246-compliant server, the extensions having been added post-RFC.
    Is there any way to tell the ACE to forward SSL packets and not worry too much about the contents? I've checked all the Release notes and can't find any relevant caveats.
    Thank you
    Cathy

    Hi Ajay,
    Disabling normalization made no difference. I thought it might help, but I think it only looks at the gross structure of the packets and doesn't worry about RFC2246 compliance.
    The relevant parts of the configuration are shown below:
    rserver host web-web1
      ip address a.b.c.d
      inservice
    rserver host web-web2
      ip address a.b.c.e
      inservice
    serverfarm host FARM-web2
      rserver web-web1
        inservice
      rserver web-web2
        inservice
    sticky ip-netmask 255.255.255.255 address source FARM-web2-Sticky
      timeout 99
      replicate sticky
      serverfarm FARM-web2 backup FARM-sorry
    class-map match-any L4VIPCLASS
      2 match virtual-address x.y.z.t tcp eq www
      3 match virtual-address x.y.z.t tcp eq https
      6 match virtual-address x.y.z.t tcp eq 81
    policy-map type loadbalance first-match LB-POLICY
      class class-default
        sticky-serverfarm FARM-web2-Sticky
    policy-map multi-match L4POLICY
      class L4VIPCLASS
        loadbalance vip inservice
        loadbalance policy LB-POLICY
        loadbalance vip icmp-reply active
        loadbalance vip advertise
    service-policy input L4POLICY
    As you see, the configuration is about as simple as it can be.
    Kind Regards
    Cathy
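    As an added illustration (not code from the thread or from Cisco), the following Python parser walks a TLS ClientHello the way a strict RFC 2246 reader would and shows where the extensions block sits; with allow_extensions=False it rejects any hello that carries extensions, which matches the behaviour described above for IE9/FF19. The ClientHello bytes it builds are constructed sample data, not captured traffic.

```python
import struct

# A few extension type numbers from the TLS extensions RFCs (RFC 3546 / RFC 4366);
# unknown types are reported by number.
EXT_NAMES = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
             13: "signature_algorithms", 16: "alpn", 35: "session_ticket"}


def parse_client_hello(record: bytes, allow_extensions: bool = True) -> dict:
    """Parse a TLS record carrying a ClientHello.

    With allow_extensions=False the parser behaves like a strict RFC 2246
    implementation: any bytes after the compression methods are an error.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_ver = (record[1], record[2])
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    client_ver = (hello[0], hello[1])
    pos = 2 + 32                                   # skip client_version and random
    sid_len = hello[pos]; pos += 1 + sid_len       # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    cm_len = hello[pos]; pos += 1 + cm_len         # compression_methods
    result = {"record_version": rec_ver, "client_version": client_ver,
              "cipher_suites": suites, "extensions": []}
    if pos == len(hello):
        return result                              # plain RFC 2246 hello, no extensions block
    if not allow_extensions:
        raise ValueError("trailing data after compression methods (TLS extensions?)")
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    if end != len(hello):
        raise ValueError("extensions length does not match hello length")
    while pos < end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        if pos + elen > end:
            raise ValueError("extension overruns hello")
        result["extensions"].append(EXT_NAMES.get(etype, etype))
        pos += elen
    return result


def strict_accepts(record: bytes) -> bool:
    """True if a strict RFC 2246 parser (no extension support) would accept the hello."""
    try:
        parse_client_hello(record, allow_extensions=False)
        return True
    except ValueError:
        return False


def build_client_hello(version=(3, 1), suites=(0x002F, 0x0035), sni=None) -> bytes:
    """Construct a minimal TLS 1.0 ClientHello record (sample data, fixed random)."""
    body = bytes(version) + b"\x11" * 32 + b"\x00"              # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                           # one compression method: null
    if sni is not None:                                           # optional server_name extension
        host = sni.encode()
        name_list = b"\x00" + struct.pack("!H", len(host)) + host
        sni_ext = struct.pack("!H", len(name_list)) + name_list
        ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for label, hello in (("IE8-style", build_client_hello()),
                         ("SNI-style", build_client_hello(sni="www.example.com"))):
        print(label, parse_client_hello(hello), "strict accepts:", strict_accepts(hello))
```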

  • Problem with a simple GRE tunnel

    Hello everyone:
    I have a problem with a simple GRE tunnel and cannot make it work. The problem lies in the command "tunnel source loopback-0": if I use this command it does not work, but if I use "tunnel source <ip wan >" it works. Can someone tell me why?
    Thanks for your help
    Router 1: 2811
    version 12.4
    no service password-encryption
    hostname cisco2811
    no aaa new-model
    ip cef
    interface Loopback0
    ip address 2.2.2.2 255.255.255.255
    interface Tunnel0
    ip address 10.10.1.1 255.255.255.0
    tunnel source Loopback0
    tunnel destination 217.127.XXX.188
    interface Tunnel1
    ip address 10.10.2.1 255.255.255.0
    tunnel source Loopback0
    tunnel destination 80.32.XXX.125
    interface FastEthernet0/0
    description LOCAL LAN Interface
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/1
    description WAN Interface
    ip address 195.77.XXX.70 255.255.255.248
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 195.77.XXX.65
    ip route 192.168.3.0 255.255.255.0 Tunnel0
    ip route 192.168.4.0 255.255.255.0 Tunnel1
    ip nat inside source route-map salida-fibra interface FastEthernet0/1 overload
    access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
    access-list 120 permit ip 192.168.1.0 0.0.0.255 any
    route-map salida-fibra permit 10
    match ip address 120
    Router 2: 2811
    version 12.4
    service password-encryption
    ip cef
    no ip domain lookup
    multilink bundle-name authenticated
    username admin privilege 15 password 7 104CXXXXx13
    interface Loopback0
    ip address 4.4.4.4 255.255.255.255
    interface Tunnel0
    ip address 10.10.1.2 255.255.255.0
    tunnel source Loopback0
    tunnel destination 195.77.XXX.70
    interface Ethernet0
    ip address 192.168.3.251 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    hold-queue 100 out
    interface ATM0
    no ip address
    no ip route-cache cef
    no ip route-cache
    no atm ilmi-keepalive
    dsl operating-mode auto
    interface ATM0.1 point-to-point
    ip address 217.127.XXX.188 255.255.255.192
    ip nat outside
    ip virtual-reassembly
    no ip route-cache
    no snmp trap link-status
    pvc 8/32
    encapsulation aal5snap
    ip route 0.0.0.0 0.0.0.0 ATM0.1
    ip route 192.168.1.0 255.255.255.0 Tunnel0
    ip nat inside source route-map nonat interface ATM0.1 overload
    access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 120 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 120 permit ip 192.168.3.0 0.0.0.255 any
    route-map nonat permit 10
    match ip address 120

    Hello, thank you for the answer. As to your question, I have no connectivity within the tunnel: if from Router 1 I ping 10.10.1.2 I get no response ...
    Now if I remove the loopback on both routers and change the tunnel source on interface tunnel 0 to "tunnel source ", the tunnel works perfectly; the problem is when I have to use the loopback. Unfortunately, once the tunnel works it will have to carry multicast, and all the examples I found use a loopback as 'source'... but this is a step back ..
    Tunnel0 is up, line protocol is up
    Hardware is Tunnel
    Internet address is 10.10.1.1/24
    MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation TUNNEL, loopback not set
    Keepalive not set
    Tunnel source 2.2.2.2 (Loopback0), destination 217.127.XXX.188
    Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
    Tunnel TTL 255
    Fast tunneling enabled
    Tunnel transmit bandwidth 8000 (kbps)
    Tunnel receive bandwidth 8000 (kbps)
    Last input 09:04:38, output 00:00:19, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/0 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
    0 packets input, 0 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    11101 packets output, 773420 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 unknown protocol drops
    0 output buffer failures, 0 output buffers swapped out

  • WRT160N v2 VPN Problem ( GRE Protocol )

    Hi,
    I just got a WRT160N router. But this router does not allow the GRE protocol. I use a VPN server on my local network and I only need PPTP (made NAT 1723 TCP) and GRE protocol 47 (can't find anything about this) to be routed to my VPN server. 1723 works OK but not GRE.
    I checked all settings on Security / VPN Passthrough but the problem persists. Does anybody have solution for this? My firmware is Firmware Version: v2.0.02

    I am afraid the router does not support GRE Protocol...

  • 6500 sup 720 with MPLS, GRE and FWSM problem

    We have a 6500 sup 720 with MPLS configured and an FWSM in transparent mode. We also terminate GRE tunnels on the same 6500.
    After implementing the command “mls mpls tunnel-recir” GRE tunnels are hardware switched (which we want them to be), but we don’t have any more connection from locations thru GRE tunnels to servers behind FWSM.
    Does anybody have idea how to solve this problem?

    Hi,
    Not sure what you mean exactly.
    The command “mls mpls tunnel-recir” is needed to avoid packet corruption in cases where the Supervisor engine is handling both the GRE header encapsulation and the MPLS label stack imposition. Since it cannot do it in one single shot (without causing random corruption) recirculation is needed. Nevertheless its presence does not influence whether the GRE traffic is handled in hardware or in software. Even without it, IF THE GRE TUNNELS ARE CORRECTLY CONFIGURED (meaning that each GRE tunnel has its unique source address etc.), the traffic is handled in hardware.
    However, since you say that after you enabled it you don't have connectivity anymore, I suppose that some issue related to recirculation is happening (i.e. traffic ends up in the wrong internal vlan after recirculation).
    Unfortunately the support forum is not meant to help in this case as in-depth troubleshooting is required. For that you need a TAC case.
    regards,
    Riccardo

  • Windows Replication RPC Problems with IPSec GRE Tunnel

    We have been having significant issues in troubleshooting random RPC errors with our directory controllers (MS AD 2008R2) and our distributed file shares. Both services will randomly stop working, throwing RPC errors as the resulting cause. We have been all over both Cisco and Microsoft forums in trying to troubleshoot this problem. I'm trying the Cisco forums first to see if anyone has any network layer thoughts as to best practices or ways to configure the tunnel.
    Our network is simple: two small branch offices connected to each other with two Cisco 2901 ISRs.  An IPSec GRE tunnel exists between both offices.  Interoffice bandwidth is approximately 10mbps.  Pings between offices work, remote desktop works most of the time, file transfers work, and DNS lookups work across both locations.  We really don't have a complicated environment, I'd think it wouldn't be too hard to set up.  But this just seems to be escaping me.  I can't think of anything at the network layer that would be causing problems but I was curious whether anyone else out there with knowledge of small office VPNs might be able to render some thoughts on the matter.
    Please let me know if there is anything further people need to see.  My next step is MS forums but I wanted to eliminate layer 3 first.
    Tunnel Config:
    crypto map outside_crypto 10 ipsec-isakmp
    set peer x.x.x.x
    set transform-set ESP-AES-SHA
    match address 102
    crypto ipsec df-bit clear
    interface Tunnel0
    bandwidth 10240
    ip address x.x.x.x x.x.x.x
    no ip redirects
    ip mtu 1420
    ip virtual-reassembly in
    zone-member security in-zone
    ip tcp adjust-mss 1375
    tunnel source GigabitEthernet0/0
    tunnel destination x.x.x.x
    crypto ipsec df-bit clear
    end

    Hi,
    Based on the third-party article below, you can set up a VPN connection between a Windows VPN client and a Cisco firewall:
    Step By Step Guide To Setup Windows 7/Vista VPN Client to Remote Access Cisco ASA5500 Firewall
    What is the Windows server 2008 R2 for, a RADIUS server? If yes, maybe the links below would be helpful to you:
    RADIUS: Configuring Client VPN with Windows 2008 Network Policy Server (NPS) RADIUS Authentication
    Configuring RADIUS Server on Windows 2008 R2 for Cisco Device Logins
    RADIUS authentication for Cisco switches using w2k8R2 NPS
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Best regards,
    Susie

  • Can I use a GRE tunnel to solve my problem?

    Please see the attached file for a topology of the relevant portions of this network.
    All but three of the APs at Building B are plugged into Cisco 3650 switches that are also acting as the WLCs.  This allows for local switching of WiFi client traffic.  The WiFi clients are tagged with VLAN 20 and the PCs at Building B are tagged with VLAN 10.  Inter-VLAN routing occurs at the 3560 in Building B.  This is important so that iPads on the WiFi network are switched locally with the PCs in the classroom. I then turn on the mDNS feature on the 3650/WLC so that we can use our PCs as "Apple TVs" via a program called Air Server.  This allows the teacher to project the iPad onto the PC, which is then projected to the SMART Board.
    My problem is with the 3 classrooms whose APs plug into a 2960-PS.  These APs are managed by the dedicated WLC-5760 located at Building A.  This means that the teacher PC is using the 3560 in Building B as the default gateway while the wireless traffic is being handled by the 3750 in Building A.  The last time I checked, the WLC 5700 series controllers did not have Flex Connect as a feature.  
    Here's my question:  Is there any type of IP tunneling solution I could use to tunnel a particular client or VLAN so that it can be routed at Building A?  I've only played with tunneling from an IPv4/IPv6 standpoint.  Thank you for your time!

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    You're correct, you cannot extend L2 across L3 unless you use some kind of encapsulation technology, for example, the already mentioned L2TPv3 or pseudo-wire over MPLS, etc.
    However, what I have in mind for extending a VLAN means converting a routed p2p link to a L2 trunk link (I'm assuming the equipment, e.g. L3 switches, can support this). Across the trunk, you can extend your VLAN(s).  For the routers, you can dedicate a new VLAN, across just the trunk, that takes the place of the former p2p.  I.e. so you can do both L2 and L3 across the same physical link.
    [edit]
    I didn't see Jon's post until after I posted above, but he's explaining, in more detail, what I had in mind.

  • Bookmark restore problem: " A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete. script: resource://gre/modules/PlacesUtils.jsm:1436"

    I'm trying to restore bookmarks from a .json file (as Xmarks keeps duplicating and corrupting my list) and Firefox often works really slowly also. I know this as I usually get script error messages and the option to continue or stop. In this case with restoring bookmarks, every time I try to restore with my saved .json file I get an interruption, and the message "A script on this page may be busy, or it may have stopped responding. You can stop the script now, or you can continue to see if the script will complete. script: resource://gre/modules/PlacesUtils.jsm:1436". I stop the script (if I continue the same warning comes up) and then get half of my bookmarks restored or similar, if that, and another message telling me FF is unable to process the bookmarks!? I think this unresponsive script is the one that randomly comes up when I'm working FF hard and causes it to run slowly, or it is a very similar looking message. Any comments and ideas appreciated.
    Running on MacBook Pro 2GHz Intel Core 2 Duo, 2Gb 667 MHz DDR2, OS 10.6.8

    One other thing... the same script error on Ubuntu Linux 11.10 on my old Dell. And it seems that the backup I thought I had made probably was saved incorrectly; again only half of the bookmarks I had sorted out were created in the file. I should have exported a copy as another safeguard!

  • ASA 5505 + ASA 5540 static VPN, ssh and rdp problems

    Greetings!
    I've recently set up a VPN between a Cisco ASA 5540 (8.4) and a 5505 (8.3).
    Everything works fine, but there is a small problem that is really annoying me.
    From the inside network behind ASA 5505 I connect via rdp or ssh to a host inside ASA 5540.
    Then I minimize the ssh and rdp windows and don't use them for ten minutes. But I still use the VPN for downloading some files.
    Then I open the ssh window: the session is inactive; I open the rdp window: I see a black screen (for 10-15 seconds, and then it shows RDP).
    There are no timeouts configured on the ssh or rdp hosts; via a GRE tunnel it works perfectly without any hangs.
    What can I do to get rid of this problem?
    Thanks in advance.

    Dear Fedor,
    You could try adding the following commands to your configuration (on both ASAs) in order to increase the timeout values of the specific TCP sessions:
    access-l rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 22
    access-l rdp_ssh permit tcp 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0 eq 3389
    class-map TCP_TIMEOUT
     match access-list rdp_ssh
    policy-map global_policy
     class TCP_TIMEOUT
      set connection timeout idle 0:30:00
      set connection timeout half 0:30:00
    * Please make sure you define the specific RDP and SSH ports in the ACL and avoid the use of "permit ip any any".
    Let me know.
    Portu.
    Please rate any post you find useful.

  • Dynamic VPN/GRE can't ping other side of tunnel

    I am new at this VPN stuff and trying to set up a GRE Dynamic IP VPN between my office and home. Here is what I have done thus far:
    OFFICE
    interface Tunnel0
    ip address 172.30.1.1 255.255.255.252
    no ip redirects
    ip mtu 1400
    ip nhrp map multicast dynamic
    ip nhrp network-id 1
    ip tcp adjust-mss 1360
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 1
    interface FastEthernet0/0
    ip address 40.197.68.9 255.255.255.248
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    HOME
    interface Tunnel0
    ip address 172.30.1.2 255.255.255.252
    ip mtu 1400
    ip nhrp map multicast 40.197.68.9
    ip nhrp map 172.30.1.1 40.197.68.9
    ip nhrp network-id 1
    ip nhrp nhs 172.30.1.1
    ip tcp adjust-mss 1360
    tunnel source GigabitEthernet0/0
    tunnel destination 40.197.68.9
    tunnel key 1
    interface GigabitEthernet0/0
    description Router
    ip address 192.168.30.1 255.255.255.252
    duplex auto
    speed auto
    When I ping 172.30.1.1 from the HOME router, I get 0/5 success.  Not good!  I have not setup any IPSec yet.
    Results for HOME router
    show ip nhrp nhs detail
    Legend: E=Expecting replies, R=Responding, W=Waiting
    Tunnel0:
    172.30.1.1   E priority = 0 cluster = 0  req-sent 53  req-failed 0  repl-recv 0
    sh int t0
    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 172.30.1.2/30
      MTU 17912 bytes, BW 100 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 192.168.30.1 (GigabitEthernet0/0), destination 40.197.68.9
       Tunnel Subblocks:
          src-track:
             Tunnel0 source tracking subblock associated with GigabitEthernet0/0
              Set of tunnels with source GigabitEthernet0/0, 1 member (includes iterators), on interface <OK>
      Tunnel protocol/transport GRE/IP
        Key 0x1, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled
      Tunnel transport MTU 1472 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 00:40:28, output 00:00:25, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         106 packets output, 12612 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    sh ip route
    Gateway of last resort is 192.168.30.2 to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 192.168.30.2
          10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
    C        10.110.0.0/24 is directly connected, GigabitEthernet0/1.110
    L        10.110.0.1/32 is directly connected, GigabitEthernet0/1.110
    C        10.115.0.0/24 is directly connected, GigabitEthernet0/1.115
    L        10.115.0.1/32 is directly connected, GigabitEthernet0/1.115
          172.16.0.0/30 is subnetted, 1 subnets
    S        172.16.2.0 [1/0] via 192.168.30.6
          172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        172.30.1.0/30 is directly connected, Tunnel0
    L        172.30.1.2/32 is directly connected, Tunnel0
    S     192.168.2.0/24 is directly connected, GigabitEthernet0/0
    S     192.168.10.0/24 is directly connected, GigabitEthernet0/0
          192.168.30.0/24 is variably subnetted, 4 subnets, 2 masks
    C        192.168.30.0/30 is directly connected, GigabitEthernet0/0
    L        192.168.30.1/32 is directly connected, GigabitEthernet0/0
    C        192.168.30.4/30 is directly connected, GigabitEthernet0/1.30
    L        192.168.30.5/32 is directly connected, GigabitEthernet0/1.30
    S     192.168.50.0/24 [1/0] via 192.168.30.6
          192.168.69.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.69.0/24 is directly connected, GigabitEthernet0/1.69
    L        192.168.69.3/32 is directly connected, GigabitEthernet0/1.69
    S     192.168.100.0/24 [1/0] via 192.168.30.6
    S     192.168.125.0/24 [1/0] via 192.168.30.6
    S     192.168.200.0/24 [1/0] via 192.168.30.6
    sh dmvpn
    Interface: Tunnel0, IPv4 NHRP Details
    Type:Spoke, NHRP Peers:1,
    # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
         1    50.197.68.90      172.30.1.1  NHRP 02:30:17     S
    Results for OFFICE router
    show ip nhrp nhs detail
    sh dmvpn
    sh int t0
    Tunnel0 is up, line protocol is up
      Hardware is Tunnel
      Internet address is 172.30.1.1/30
      MTU 17912 bytes, BW 100 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 40.197.68.9 (FastEthernet0/0)
       Tunnel Subblocks:
          src-track:
             Tunnel0 source tracking subblock associated with FastEthernet0/0
              Set of tunnels with source FastEthernet0/0, 1 member (includes iterators), on interface <OK>
      Tunnel protocol/transport multi-GRE/IP
        Key 0x1, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled
      Tunnel transport MTU 1472 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 00:43:56, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         0 packets output, 0 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    show ip route
    S*    0.0.0.0/0 [1/0] via 40.197.68.94
          40.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        40.197.68.8/29 is directly connected, FastEthernet0/0
    L        40.197.68.9/32 is directly connected, FastEthernet0/0
          172.30.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        172.30.1.0/30 is directly connected, Tunnel0
    L        172.30.1.1/32 is directly connected, Tunnel0
    S     192.168.2.0/24 [1/0] via 192.168.10.5
          192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.10.0/24 is directly connected, FastEthernet0/1
    L        192.168.10.1/32 is directly connected, FastEthernet0/1
    S     192.168.69.0/24 is directly connected, FastEthernet0/0
    Why can't I ping from the HOME router to the OFFICE router?

    I figured this problem out. I needed to set up PKI/IKE and once that was done on both routers, my tunnel now passes some data.

  • VPN passthru problem

    I have a VPN server installed on a Win 2003 server.
    When I tried to connect I got the following error in the server's Event log:
    A connection between the VPN server and the VPN client [MYPUBLICIP] has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    How can I configure the router in my case?

    I use PPTP VPN protocol.
    This means that I must forward the following ports:
    TCP 1723
    IP Protocol ID of 47 (0x2F). => This filter allows PPTP tunneled data to the PPTP server
    How can I forward an IP protocol?
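    Added example, not from any of the posts: a small Python parser that identifies IP protocol 47 traffic and decodes the GRE header, distinguishing PPTP's enhanced GRE (RFC 2637: version 1, protocol type 0x880B, call ID in the key field) from plain GRE (RFC 2784). Tallying captures taken on each side of a router or firewall with it shows whether protocol 47 packets survive the device, which is the check the ACE20, WRT160N and PPTP passthrough posts above all needed; the packets below are constructed sample data that reuse the ACE20 post's addresses.

```python
import ipaddress
import struct

GRE_PROTO = 47             # IP protocol number for GRE
PPTP_PROTO_TYPE = 0x880B   # GRE protocol type for PPP, used by PPTP's enhanced GRE (RFC 2637)


def parse_gre_packet(pkt: bytes) -> dict:
    """Parse an IPv4 packet; if it is GRE (protocol 47), decode the GRE header as well."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    info = {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "ip_proto": pkt[9], "gre": None}
    if info["ip_proto"] != GRE_PROTO:
        return info
    gre = pkt[ihl:total_len]
    if len(gre) < 4:
        raise ValueError("GRE header truncated")
    flags, ptype = struct.unpack("!HH", gre[:4])
    hdr = {"version": flags & 0x7, "protocol_type": ptype, "key": None, "seq": None, "ack": None}
    pos = 4
    if flags & 0x8000:                              # C: checksum + reserved1 present
        pos += 4
    if flags & 0x2000:                              # K: key present
        hdr["key"] = struct.unpack("!I", gre[pos:pos + 4])[0]; pos += 4
    if flags & 0x1000:                              # S: sequence number present
        hdr["seq"] = struct.unpack("!I", gre[pos:pos + 4])[0]; pos += 4
    if hdr["version"] == 1 and flags & 0x0080:      # A: acknowledgment number (enhanced GRE only)
        hdr["ack"] = struct.unpack("!I", gre[pos:pos + 4])[0]; pos += 4
    hdr["pptp"] = hdr["version"] == 1 and ptype == PPTP_PROTO_TYPE
    if hdr["pptp"] and hdr["key"] is not None:
        # RFC 2637 splits the key field into payload length (high 16 bits) and call ID (low 16)
        hdr["payload_length"] = hdr["key"] >> 16
        hdr["call_id"] = hdr["key"] & 0xFFFF
    hdr["payload"] = gre[pos:]
    info["gre"] = hdr
    return info


def count_by_kind(packets) -> dict:
    """Tally a capture into PPTP GRE, other GRE and non-GRE packets.

    Comparing the tallies from captures on both sides of a device shows whether it
    forwards protocol 47 (the tcp/1723 control session alone proves nothing).
    """
    counts = {"pptp_gre": 0, "other_gre": 0, "not_gre": 0}
    for pkt in packets:
        gre = parse_gre_packet(pkt)["gre"]
        if gre is None:
            counts["not_gre"] += 1
        elif gre["pptp"]:
            counts["pptp_gre"] += 1
        else:
            counts["other_gre"] += 1
    return counts


# --- constructed sample packets (no checksums; not captured from any real device) ---
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_pptp_gre(call_id: int, seq: int, ppp: bytes) -> bytes:
    flags = 0x2000 | 0x1000 | 0x1                   # K + S set, version 1 (enhanced GRE)
    key = (len(ppp) << 16) | call_id
    return struct.pack("!HHII", flags, PPTP_PROTO_TYPE, key, seq) + ppp


def build_plain_gre(inner: bytes) -> bytes:
    return struct.pack("!HH", 0, 0x0800) + inner    # RFC 2784 header, IPv4 inside, no options


SAMPLE_PPP = b"\xff\x03\xc0\x21" + b"\x01\x01\x00\x08\x00\x00\x00\x00"   # constructed PPP LCP bytes
SAMPLE_CAPTURE = [
    build_ipv4("10.94.32.212", "10.94.132.39", GRE_PROTO, build_pptp_gre(7, 1, SAMPLE_PPP)),
    build_ipv4("10.94.32.212", "10.94.132.39", GRE_PROTO, build_plain_gre(b"\x45" + b"\x00" * 19)),
    build_ipv4("10.94.32.212", "10.94.132.39", 6, b"\x04\x00\x06\xbb" + b"\x00" * 16),  # TCP to 1723
]

if __name__ == "__main__":
    for p in SAMPLE_CAPTURE:
        print(parse_gre_packet(p))
    print(count_by_kind(SAMPLE_CAPTURE))
```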

  • Generic GRE not working (ver 4.1.3.55)

    Hi everybody.
    I'm testing a configuration for a customer in the lab.
    It's a basic environment with:
    DATA CENTER (wccp)
    1 WAE 7341 and 1 Cat6506 router
    BRANCH (inline)
    1 WAE 574.
    Optimization works with l2-redirect and GRE return in the DATA CENTER!!
    It does not work with egress-method generic-gre interception-method wccp.
    This is the problem that I can see with "show wccp gre" on the 7341:
    "Packets received on a disabled service: 667790".
    I read some manuals but...
    I don't understand... Services 61 and 62 work!!
    So any idea?
    Thanks a lot to everybody
    Vittorio

    Hi, and thanks for your interest.
    That's the output you asked for:
    WAE-DC-01#sh egress-methods
    Intercept method : WCCP
      TCP Promiscuous 61 :
        WCCP negotiated return method : WCCP GRE
                        Egress Method      Egress Method
        Destination     Configured         Used
        any             Generic GRE        Generic GRE
      TCP Promiscuous 62 :
        WCCP negotiated return method : WCCP GRE
                        Egress Method      Egress Method
        Destination     Configured         Used
        any             Generic GRE        Generic GRE
    Intercept method : Generic L2
                        Egress Method      Egress Method
        Destination     Configured         Used
        any             not configurable   IP Forwarding
    And here is another useful one:
    WAE-DC-01#sh wccp gre
    Transparent GRE packets received: 52082
    Transparent non-GRE packets received: 0
    Transparent non-GRE non-WCCP packets received: 0
    Total packets accepted: 0
    Invalid packets received: 0
    Packets received with invalid service: 0
    Packets received on a disabled service: 50118
    Packets received too small: 1964
    Packets dropped due to zero TTL: 0
    Packets dropped due to bad buckets: 0
    Packets dropped due to no redirect address: 0
    Packets dropped due to loopback redirect: 0
    Pass-through pkts dropped on assignment update:0
    Connections bypassed due to load: 0
    Packets sent back to router: 50118
    GRE packets sent to router (not bypass): 0
    Packets sent to another WAE: 0
    GRE fragments redirected: 28770
    GRE encapsulated fragments received: 0
    Packets failed encapsulated reassembly: 0
    Packets failed GRE encapsulation: 0
    Packets dropped due to invalid fwd method: 0
    Packets dropped due to insufficient memory: 0
    Packets bypassed, no pending connection: 0
    Packets due to clean wccp shutdown: 0
    Packets bypassed due to bypass-list lookup: 0
    Conditionally Accepted connections: 0
    Conditionally Bypassed connections: 0
    L2 Bypass packets destined for loopback: 0
    Packets w/WCCP GRE received too small: 0
    Packets dropped due to received on loopback: 0
    Packets dropped due to IP access-list deny: 0
    Packets fragmented for bypass: 28770
    Packets fragmented for egress: 0
    Packet pullups needed: 57543
    Packets dropped due to no route found: 0
    Any new ideas?
    Thanks
    Vittorio

  • IP routing utilizing Verizon private network (GRE tunnel) with remote cellular gateways

    Okay, I give up, and think I have done my due diligence (I have been engrossed and fascinated, spending many more hours than allotted to try and learn some of the finer details). Time for some advice. My usual trade is controls engineering, which generally requires only basic knowledge of networking principles. However, I recently took a job to integrate 100 or so lift stations scattered around a county into a central SCADA system. I decided to use cellular technology to connect these remote sites back to the main SCADA system. Well, the infrastructure is now in and it's time to get these things talking.
    Basic topology description is as follows: Each remote site has an Airlink LS300 gateway. Attached to the gateway via Ethernet is a system controller that I will be polling via Modbus TCP from the main SCADA system. The Airlinks are provisioned by Verizon utilizing a private network with static IPs. This private network's address is 192.168.1.0/24. Back at the central office the SCADA computer is sitting behind a Cisco 2911. The LAN address of the central office is 192.168.11.0/24. The 2911 is utilizing GRE tunnels that terminate with Verizon.
    The original turn-up was done by another contractor who did a basic config of the router, which you will find below. As it stands now I am pretty confident the tunnels are up and working (if I change a local computer's subnet mask to 255.255.0.0 I can surprisingly reach the Airlinks in the field), but this is obviously not the right way to solve the problem, not to mention I was unable to successfully poll the end devices on the other side of the Airlinks. I think I understand just about every part of the config below and think it is just missing a few items to be complete. I would greatly appreciate anyone's help in getting this set up correctly. I also have a few questions about the setup that still don't make sense to me; you will find them below the config. Thanks in advance.
    no aaa new-model
    ip cef
    ip dhcp excluded-address 10.10.10.1
    ip dhcp pool ccp-pool
     import all
     network 10.10.10.0 255.255.255.248
     default-router 10.10.10.1 
     lease 0 2
    ip domain name yourdomain.com
    no ipv6 cef
    multilink bundle-name authenticated
    username cisco privilege 15 one-time secret 
    redundancy
    crypto isakmp policy 1
    encr 3des
    hash md5
     authentication pre-share
     group 2
    crypto isakmp key AbCdEf01294 address 99.101.15.99  
    crypto isakmp key AbCdEf01294 address 99.100.14.88 
    crypto ipsec transform-set VZW_TSET esp-3des esp-md5-hmac 
    mode transport
    crypto map VZW_VPNTUNNEL 1 ipsec-isakmp 
     description Verizon Wireless Tunnel
     set peer 99.101.15.99
     set peer 99.100.14.88
     set transform-set VZW_TSET 
     match address VZW_VPN
    interface Tunnel1
     description GRE Tunnel to Verizon Wireless
     ip address 172.16.200.2 255.255.255.252
     tunnel source 22.20.19.18
     tunnel destination 99.101.15.99
    interface Tunnel2
     description GRE Tunnel 2 to Verizon Wireless
     ip address 172.16.200.6 255.255.255.252
     tunnel source 22.20.19.18
     tunnel destination 99.100.14.88
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
     ip address 10.10.10.1 255.255.255.248
     shutdown
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 192.168.11.1 255.255.255.0
     duplex auto
     speed auto
    interface GigabitEthernet0/2
     ip address 22.20.19.18 255.255.255.0
     duplex full
     speed 100
     crypto map VZW_VPNTUNNEL
    router bgp 65505
     bgp log-neighbor-changes
     network 0.0.0.0
     network 192.168.11.0
     neighbor 172.16.200.1 remote-as 6167
     neighbor 172.16.200.5 remote-as 6167
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip route 0.0.0.0 0.0.0.0 22.20.19.19
    ip access-list extended VZW_VPN
     permit gre host 99.101.15.99 host 22.20.19.18
     permit icmp host 99.101.15.99 host 22.20.19.18
     permit esp host 99.101.15.99 host 22.20.19.18
     permit udp host 99.101.15.99 host 22.20.19.18 eq isakmp
     permit gre host 22.20.19.18 host 99.101.15.99
     permit gre host 22.20.19.18 host 99.100.14.88
    access-list 23 permit 10.10.10.0 0.0.0.7
    control-plane
    end
    So after spending countless hours analyzing every portion of this,  I think that adding one line to this will get it going (or at least closer).
    ip route 192.168.1.0 255.255.0.0 22.20.19.19
    That should allow my internal LAN to reach the Airlink gateways on the other side of the tunnel (I think)
    Now for a couple of questions for those that are still actually hanging around.
    #1 What is the purpose of the IP address assigned to each tunnel? I only see them being used in the BGP section, where they are receiving routing tables from the Verizon side (is that correct?). Why wouldn't or couldn't you just use the physical Ethernet interface address in its place (in the BGP section)?
    #2 Is the config above correct in pointing the default route to the physical Ethernet next hop? Does that force the packets into the tunnel, or shouldn't you be pointing it towards the tunnel IPs (172.16.200.2)? If the config above is correct then I should not need to add the route I described above, as if I ping out to 192.168.1.X that should catch it and force it into the tunnel, where Verizon would pick it up and know how to get it to its destination??
    #3 Will I need to add another permit to the VZW_VPN for TCP, as in the end I need to be able to poll via Modbus, which uses port 502 TCP? Or is TCP implicit in some way with the GRE permit?
    I actually have a lot more questions, but I will keep reading for now.
    I really appreciate the time you all took to trudge through this. Also please feel free to point anything else out that I may have missed or that can be improved. Have a great day!

    This post is a duplicate of this thread
    https://supportforums.cisco.com/discussion/12275476/proper-routing-lan-through-verizon-private-network-gre-airlink-gateways
    which has a response. I suggest that all discussion of this question be done through the other thread.
    HTH
    Rick
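
    Added example for question #3 above (my own illustration, not part of the thread and not Cisco code). It builds a Modbus/TCP SYN from a LAN host, wraps it in GRE exactly as Tunnel1 would (outer header 22.20.19.18 -> 99.101.15.99, IP protocol 47) and then evaluates the posted VZW_VPN entries against the header the crypto map actually classifies. The crypto ACL runs on the encapsulated packet, so it only ever sees GRE between the tunnel endpoints; the inner TCP/502 is invisible to it. The same block carries a small consistency check for a static route's network/mask pair, which IOS enforces when you type `ip route`. The inner hosts 192.168.11.50 and 192.168.1.25 are assumed for illustration.

```python
import ipaddress
import struct

# Added example, not from the thread: GRE encapsulation vs. crypto-ACL classification.
# Endpoint addresses are the ones in the posted config; inner hosts are assumed.

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}

VZW_VPN = [  # the posted 'ip access-list extended VZW_VPN', verbatim
    "permit gre host 99.101.15.99 host 22.20.19.18",
    "permit icmp host 99.101.15.99 host 22.20.19.18",
    "permit esp host 99.101.15.99 host 22.20.19.18",
    "permit udp host 99.101.15.99 host 22.20.19.18 eq isakmp",
    "permit gre host 22.20.19.18 host 99.101.15.99",
    "permit gre host 22.20.19.18 host 99.100.14.88",
]


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header; checksum left at 0 (never put on a wire)."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def build_tcp_syn(sport, dport):
    """20-byte TCP header with only SYN set; checksum left at 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def gre_encapsulate(inner):
    """RFC 2784 GRE header: no flags, protocol type 0x0800 (IPv4 payload)."""
    return struct.pack("!HH", 0, 0x0800) + inner


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


def decapsulate(outer):
    """Strip outer IP + GRE; return (src, dst, proto, dport) of the inner packet."""
    _, _, proto, payload = parse_ipv4(outer)
    if proto != 47:
        raise ValueError("not a GRE packet")
    _, gre_type = struct.unpack("!HH", payload[:4])
    if gre_type != 0x0800:
        raise ValueError("unexpected GRE payload type %#x" % gre_type)
    src, dst, inner_proto, l4 = parse_ipv4(payload[4:])
    dport = struct.unpack("!HH", l4[:4])[1] if inner_proto in (6, 17) else None
    return src, dst, inner_proto, dport


def acl_first_match(acl, pkt):
    """First 'permit <proto> host A host B ...' entry matching the header the ACL
    is handed, or None, which is the implicit deny at the end of an IOS ACL."""
    src, dst, proto, _ = parse_ipv4(pkt)
    for entry in acl:
        tok = entry.split()
        if (tok[0] == "permit" and tok[1] == PROTO_NAMES.get(proto)
                and tok[2:6] == ["host", src, "host", dst]):
            return entry
    return None


def tunneled_modbus_packet():
    """LAN host polling a remote controller on TCP/502, after Tunnel1 wrapped it."""
    inner = build_ipv4("192.168.11.50", "192.168.1.25", 6, build_tcp_syn(40000, 502))
    return build_ipv4("22.20.19.18", "99.101.15.99", 47, gre_encapsulate(inner))


def static_route_is_consistent(network, mask):
    """IOS accepts 'ip route NET MASK ...' only when NET has no bits set outside
    MASK; strict=True makes the ipaddress module apply the same rule."""
    try:
        ipaddress.IPv4Network("%s/%s" % (network, mask), strict=True)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pkt = tunneled_modbus_packet()
    print("crypto ACL sees:", acl_first_match(VZW_VPN, pkt))
    print("inner packet:", decapsulate(pkt))
    print("192.168.1.0/255.255.255.0 consistent:",
          static_route_is_consistent("192.168.1.0", "255.255.255.0"))
```

    The un-encapsulated Modbus packet on its own matches nothing in VZW_VPN (there is no `permit tcp` and none is needed), while the GRE-wrapped copy hits `permit gre host 22.20.19.18 host 99.101.15.99`; that is why inner protocols never appear in a crypto ACL fronting a GRE tunnel.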

  • Join remote computers in a branch office over vpn(GRE)

    Hi
    I have a problem with joining computers located in a branch office, described in the following. I would be grateful if anyone could help me.
    I have an FG1240B firewall as edge firewall in my network and an FG60C in the branch office. These firewalls can see each other with assigned IPs; on the other hand I established a GRE tunnel between them to increase security and make a direct site-to-site connection.
    The tunnel interfaces have their own IPs. Routes between the two LANs are created and computers in the branch can see HQ's servers such as the DC and additional DC. It should be noted that all services are open in both directions, and the branch's computers can even resolve records in DNS and open HTTPS web servers and so on.
    But I face the problem when I want to join computers to the domain: after entering the credentials it returns the error message "the network path was not found". While investigating this problem I found that TCP ports 139 and 445 (which are used for user and computer authentication) could not establish a connection to the DC, while all services are open at origin and destination and even the DNS service passes. When I issue the netstat command on the branch computer, I notice the connection to the DC is stuck in the SYN_SENT state and never moves forward to SYN_ACK / SYN_RCVD. It is worth mentioning that all this log information was seen in the branch, and there is no join query in the 1240B firewall logs.
    I know this problem should be answered in firewall forums, but I asked this question here because I hope anyone can help me :-/
    Thank you in advance for replying.

    Hi,
    You can use a Wireshark or Network Monitor capture to see if any traffic is being blocked/stopped somewhere along the path when trying to join the domain. You do not need WINS. Have you enabled DNS debug logging on the DC/DNS servers in the hub site and watched whether the client from the branch site reaches the server?
    Regards,
    Calin
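
    Added example (my own, not part of the thread): a small probe that turns a TCP connect attempt into the three outcomes that matter when netstat shows a socket parked in SYN_SENT. A completed handshake means path and service are fine; an immediate refusal (RST) means the path works but nothing answered on that port; a timeout means no SYN-ACK ever came back, which is the SYN_SENT symptom described above and points at a filter or black hole somewhere in between. The port list is the set a domain join needs; the DC hostname in the trailing comment is assumed. A throwaway local listener is included so the block runs offline.

```python
import socket
import threading

# Added example, not from the thread: classify TCP connect outcomes the way
# a stuck SYN_SENT socket suggests. Hostnames below are assumed.

JOIN_PORTS = {88: "kerberos", 389: "ldap", 445: "smb", 139: "netbios-ssn"}


def probe(host, port, timeout=2.0):
    """Return 'open' (handshake completed), 'refused' (RST came back:
    path works, port closed) or 'timeout' (no SYN-ACK at all: the
    SYN_SENT case, usually a filter or black hole on the path)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:            # e.g. network unreachable
        return "error:%s" % exc.errno


def probe_domain_join_ports(host, ports=JOIN_PORTS, timeout=2.0):
    """Probe every port a join needs and report them by service name."""
    return {name: probe(host, port, timeout) for port, name in ports.items()}


def serve_once(bind_host="127.0.0.1"):
    """Throwaway listener so the example can run offline: accepts one
    connection, then closes. Returns (port, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        try:
            conn, _ = srv.accept()
            conn.close()
        finally:
            srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, t


def unused_port(bind_host="127.0.0.1"):
    """Pick a port nothing is listening on, to demonstrate the 'refused' case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((bind_host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, t = serve_once()
    print("listening port  ->", probe("127.0.0.1", port))
    print("closed port     ->", probe("127.0.0.1", unused_port()))
    # From a branch client against the real DC (hostname assumed):
    # print(probe_domain_join_ports("dc01.example.internal"))
```

    Run it from the branch against the DC: 'refused' on 139/445 would mean the SYN crosses the tunnel and the DC answers, whereas 'timeout' on exactly those ports while 53 and 389 come back 'open' narrows the problem to something in the path that treats SMB differently, which is what a capture at both tunnel ends would then confirm.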

  • ZBPF IPV6 Problem

    Hello,
    I have an issue with IP version 6 and Zone-Based Policy Firewall.
    This is the setup:
    Router1 (Cisco 1802, IOS 15.1(3)T1, I also tried older IOS):
    Dialer 0 to IPv4 Internet
    Dialer 6 to IPv6 Internet
    Tunnel 0 configured as DMVPN to Router 2
    VLAN 1 as internal interface with IP 192.168.0.0/24 and 2001:xxxx:xxxx:2::/64
    Router2 (Cisco 1802, IOS 15.1(3)T1, I also tried older IOS):
    Dialer 0 to IPv4 Internet
    Tunnel 0 configured as DMVPN to Router 1
    VLAN 1 as internal interface with IP 10.0.0.0/24 and 2001:xxxx:xxxx:1::/64
    Router1 connects to the IPv6 Internet via Dialer 6
    Router2 connects to the IPv6 Internet via Tunnel0 (Dynamic Multipoint VPN)
    Router1 and Router2 are configured with Zone-Based Policy Firewall.
    When I remove the ZBPF config from Router1 everything works!
    When I configure ZBPF on Router1 the IPv6 connection between the two routers works in both directions,
    the IPv6 Internet connection from Router1 also works great,
    but the IPv6 Internet connection from Router2 doesn't work anymore in the outgoing direction.
    (Tunnel0 and VLAN1 are in ZONE_BUERO_VLAN1, Dialer0 and Dialer6 are in ZONE_INTERNET)
    zone security ZONE_INTERNET
    zone security ZONE_BUERO_VLAN1
    zone-pair security ZP_BUERO_VLAN1__INTERNET source ZONE_BUERO_VLAN1 destination ZONE_INTERNET
     service-policy type inspect FW_TO_INTERNET
    zone-pair security ZP_INTERNET__BUERO_VLAN1 source ZONE_INTERNET destination ZONE_BUERO_VLAN1
     service-policy type inspect FW_INTERNET__BUERO_VLAN1
    policy-map type inspect FW_TO_INTERNET
     class type inspect FW_GRE
      pass
     class type inspect FW_ESP
      pass
     class type inspect FW_ALLES_ERLAUBT_INSPECT2
      inspect
     class class-default
      drop log
    policy-map type inspect FW_INTERNET__BUERO_VLAN1
     class type inspect FW_GRE
      pass
     class type inspect FW_ESP
      pass
     class type inspect FW_IPV6_ALLES
      drop log
     class class-default
      drop log
    class-map type inspect match-any FW_GRE
     match access-group name FW_GRE
    class-map type inspect match-any FW_ESP
     match access-group name FW_ESP
    class-map type inspect match-any FW_ALLES_ERLAUBT_INSPECT2
     match protocol http
     match protocol https
     match protocol ntp
     match protocol dns
    ip access-list extended FW_GRE
     permit gre any any
    ip access-list extended FW_ESP
     permit esp any any
    ipv6 access-list FW_IPV6_ALLES
     permit ipv6 any any
     permit icmp any any
     permit tcp any any
     permit udp any any
    Debug Messages:  (Seen on Router1)
    Client in VLAN1 Router1 is browsing:   (2001:xxxx:xxxx:2:C8FD:5EFE:523E:FB55)
    - no debug - works -
    Client in VLAN1 Router2 is browsing:   (2001:xxxx:xxxx:1:C8FD:5EFE:5111:FB55)
    *May 24 18:38:18.016: %FW-6-DROP_PKT: Dropping tcp session [2001:xxxx:xxxx:1:C8FD:5EFE:5111:FB55]:56687 [2A02:2E0:3FE:100::7]:80 on zone-pair ZP_BUERO_VLAN1__INTERNET class class-default due to  DROP action found in policy-map with ip ident 0
    Router1#
    *May 24 18:38:48.465: %FW-6-DROP_PKT: Dropping tcp session [2001:xxxx:xxxx:1:C8FD:5EFE:5111:FB55]:56696 [2A02:2E0:3FE:100::7]:80 on zone-pair ZP_BUERO_VLAN1__INTERNET class class-default due to  DROP action found in policy-map with ip ident 0
    Router1#
    *May 24 18:39:21.705: %FW-6-DROP_PKT: Dropping tcp session [2001:xxxx:xxxx:1:C8FD:5EFE:5111:FB55]:56747 [2A02:2E0:3FE:100::7]:80 on zone-pair ZP_BUERO_VLAN1__INTERNET class class-default due to  DROP action found in policy-map with ip ident 0
    So can you tell me how this is possible? Even though the two interfaces have the same zone membership, it works for traffic from VLAN 1 but it is blocked for traffic from Tunnel 0???

    Hello,
    @Phillip: Thank you, you're right, that solved my "losing connection" problems while debugging.
    So here are the debugs (I made only a few of them, because if I enable too many of them I don't get the dropped packets in the debugs):
    Router1#debug policy-firewall events
    Policy-Firewall events debugging is on
    Router1#debug policy-firewall detail
    Policy-Firewall detailed debugging is on
    *Jun  7 22:39:50.481: FIREWALL: FW CCE got packet 0x865A3430 in process path
    *Jun  7 22:39:50.481: FIREWALL: NEW PAK 865A3430 [2001:xxxx:xxxx:1:8076:7A29:ABFB:708E]:52385 [2A02:2E0:3FE:100::7]:80 tcp
    *Jun  7 22:39:50.481: FIREWALL: DROP feature object 0xAAAA000F found
    *Jun  7 22:39:50.481: FIREWALL: FW CCE dropping pak 0x865A3430 in process path
    Router1#debug policy-firewall packet-path
    Policy-Firewall PAK_PATH debugging is on
    packet from tunnel 0:
    *Jun  7 22:43:45.781:  CCE-FW :classify no match (srcaddr:port)-([2001:xxxx:xxxx:1:8076:7A29:ABFB:708E]:0) (dstaddr:port)-([2A02:2E0:3FE:100::7]:0)
    *Jun  7 22:43:45.781:  CCE-FW :ACCESS_GROUP_NAMED:CCE_DP_NAMED_DB_NOT_MATCHED: type_1_filter = 8764B300, acl = FW_ESP vers = 1
    *Jun  7 22:43:45.781:  CCE-FW :classify no match (srcaddr:port)-([2001:xxxx:xxxx:1:8076:7A29:ABFB:708E]:0) (dstaddr:port)-([2A02:2E0:3FE:100::7]:0)
    *Jun  7 22:43:45.781:  CCE-FW :L7 protocol match CCE_DP_NAMED_DB_NOT_MATCHED
    *Jun  7 22:43:45.781:  CCE-FW :L7 protocol match CCE_DP_NAMED_DB_NOT_MATCHED
    *Jun  7 22:43:45.781:  CCE-FW :L7 protocol match CCE_DP_NAMED_DB_NOT_MATCHED
    *Jun  7 22:43:45.781:  CCE-FW :L7 protocol match CCE_DP_NAMED_DB_NOT_MATCHED
    *Jun  7 22:43:45.781:  CCE-FW :classify no match (srcaddr:port)-([2001:xxxx:xxxx:1:8076:7A29:ABFB:708E]:0) (dstaddr:port)-([2A02:2E0:3FE:100::7]:0)
    Router1#
    *Jun  7 22:43:45.781: %FW-6-DROP_PKT: Dropping tcp session [2001:xxxx:xxxx:1:8076:7A29:ABFB:708E]:52403 [2A02:2E0:3FE:100::7]:80 on zone-pair ZP_BUERO_VLAN1__INTERNET class class-default due to  DROP action found in policy-map with ip ident 0
    *Jun  7 22:43:46.221:  CCE-FW*:cce_dp_named_db_inspect_port_to_l7_protocol:L7 protocol is 0 L4 protocol is 0 address is [FE80::215:FAFF:FE0C:A70C] port is 0
    *Jun  7 22:43:46.221:  CCE-FW*:Packet L7 is 9 L4 prot is 0 granular is 0 (srcaddr:port)-([2001:xxxx:xxxx:2:80B6:E54A:A19:6435]:50900) (dstaddr:port)-([FE80::215:FAFF:FE0C:A70C]:22)
    *Jun  7 22:43:46.221:  CCE-FW*:L7 protocol match CCE_DP_NAMED_DB_NOT_MATCHED
    *Jun  7 22:43:46.221:  CCE-FW*:classify no match (srcaddr:port)-([2001:xxxx:xxxx:2:80B6:E54A:A19:6435]:50900) (dstaddr:port)-([FE80::215:FAFF:FE0C:A70C]:22)
    *Jun  7 22:43:46.221:  CCE-FW*:cce_dp_named_db_inspect_classify:packet 85977DC4 is not matched
    packet from vlan1 (works)
    *Jun  7 22:52:16.735:  CCE-FW*:Packet L7 is 9 L4 prot is 0 granular is 0 (srcaddr:port)-([2A02:2E0:3FE:100::7]:50929) (dstaddr:port)-([2001:xxxx:xxxx:2:5800:62D5:A2AE:282C]:80)
    *Jun  7 22:52:16.735:  CCE-FW*:L7 protocol match CCE_DP_NAMED_DB_NOT_MATCHED
    *Jun  7 22:52:16.735:  CCE-FW*:classify no match (srcaddr:port)-([2A02:2E0:3FE:100::7]:50929) (dstaddr:port)-([2001:xxxx:xxxx:2:5800:62D5:A2AE:282C]:80)
    *Jun  7 22:52:16.735:  CCE-FW*:cce_dp_named_db_inspect_classify:packet 856B3D60 is not matched
    *Jun  7 22:52:16.735:  CCE-FW*:cce_dp_named_db_inspect_port_to_l7_protocol:L7 protocol is 0 L4 protocol is 0 address is [FE80::8C8F:658:1A14:661D] port is 0
    *Jun  7 22:52:16.735:  CCE-FW*:Packet L7 is 9 L4 prot is 0 granular is 0 (srcaddr:port)-([FE80::215:FAFF:FE0C:A70C]:50929) (dstaddr:port)-([FE80::8C8F:658:1A14:661D]:80)
    *Jun  7 22:52:16.735:  CCE-FW*:L7 protocol match CCE_DP_NAMED_DB_NOT_MATCHED
    *Jun  7 22:52:16.735:  CCE-FW*:classify no match (srcaddr:port)-([FE80::215:FAFF:FE0C:A70C]:50929) (dstaddr:port)-([FE80::8C8F:658:1A14:661D]:80)
    *Jun  7 22:52:16.735:  CCE-FW*:cce_dp_named_db_inspect_classify:packet 856B420C is not matched
    *Jun  7 22:52:16.739:  CCE-FW*:cce_dp_named_db_inspect_port_to_l7_protocol:L7 protocol is 0 L4 protocol is 0 address is [FE80::215:FAFF:FE0C:A70C] port is 0
    *Jun  7 22:52:16.739:  CCE-FW*:Packet L7 is 9 L4 prot is 0 granular is 0 (srcaddr:port)-([FE80::5800:62D5:A2AE:282C]:50929) (dstaddr:port)-([FE80::215:FAFF:FE0C:A70C]:80)
    *Jun  7 22:52:16.739:  CCE-FW*:L7 protocol match CCE_DP_NAMED_DB_NOT_MATCHED
    *Jun  7 22:52:16.739:  CCE-FW*:classify no match (srcaddr:port)-([FE80::5800:62D5:A2AE:282C]:50929) (dstaddr:port)-([FE80::215:FAFF:FE0C:A70C]:80)
    *Jun  7 22:52:16.739:  CCE-FW*:cce_dp_named_db_inspect_classify:packet 85929DEC is not matched
    *Jun  7 22:52:16.739:  CCE-FW*:cce_dp_named_db_inspect_port_to_l7_protocol:L7 protocol is 0 L4 protocol is 0 address is [FE80::8C8F:658:1A14:661D] port is 0
    Router1#
    *Jun  7 22:52:17.303:  CCE-FW*:ACCESS_GROUP_NAMED:CCE_DP_NAMED_DB_MATCHED: type_1_filter = 8764B300, acl = FW_ESP vers = 0
    *Jun  7 22:52:17.303:  CCE-FW*:Matched acl, user group or insp protocols
    *Jun  7 22:52:17.303:  CCE-FW*:L7 is 9 l7 token prot is 0
    *Jun  7 22:52:17.331:  CCE-FW*:cce_dp_named_db_inspect_port_to_l7_protocol:L7 protocol is 0 L4 protocol is 0 address is 217.92.41.131 port is 0
    debug policy-firewall function-trace
    - no debug output -
    My results are that with "debug policy-firewall packet-path" I can't really see where it matches, but I can see that if the packet comes from Tunnel 0 the debug can't see the destination port and therefore can't match the packet.
    I also tried to implement a rule that allows all traffic, not only HTTP: then it is not dropped any more, but the reverse packet is dropped because the stateful inspection doesn't work for that packet.
    For me it seems to be a bug..... what do you think?
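
    Added model (my own, not IOS code and not from the thread) of how the two posted policy-maps decide what happens to a packet: classes are tried in configured order, the first match wins, and class-default takes whatever is left, which this config drops and logs. Two properties of the posted config drive the outcome: FW_GRE and FW_ESP reference `ip access-list extended` entries, which are IPv4 ACLs and can never match an IPv6 packet, and FW_ALLES_ERLAUBT_INSPECT2 uses `match protocol`, which needs the flow identified as http/https/ntp/dns (port-based here, as a simplification of the port-map and NBAR lookup). The packets are constructed; a destination port of 0 models a packet for which no L4 port was determined.

```python
from dataclasses import dataclass

# Added model, not IOS code and not from the thread: ordered class selection
# in a zone-based policy-map, using the posted class-maps and actions.

# port -> protocol name, a simplification of the port-map lookup behind 'match protocol'
L7_BY_PORT = {80: "http", 443: "https", 123: "ntp", 53: "dns"}


@dataclass(frozen=True)
class Packet:
    afi: int        # 4 or 6
    proto: str      # "tcp", "udp", "gre", "esp", "icmp"
    dport: int = 0  # 0 models a packet whose L4 port was not determined


# (class name, matcher kind, matcher argument, action), in policy-map order.
# "acl" matchers carry the ACL's address family: an 'ip access-list extended'
# only ever matches IPv4, an 'ipv6 access-list' only IPv6.
FW_TO_INTERNET = [
    ("FW_GRE", "acl", ("ipv4", "gre"), "pass"),
    ("FW_ESP", "acl", ("ipv4", "esp"), "pass"),
    ("FW_ALLES_ERLAUBT_INSPECT2", "protocol", ("http", "https", "ntp", "dns"), "inspect"),
]

FW_INTERNET__BUERO_VLAN1 = [
    ("FW_GRE", "acl", ("ipv4", "gre"), "pass"),
    ("FW_ESP", "acl", ("ipv4", "esp"), "pass"),
    ("FW_IPV6_ALLES", "acl", ("ipv6", "any"), "drop"),
]


def class_matches(kind, arg, pkt):
    if kind == "acl":
        family, proto = arg
        return pkt.afi == (4 if family == "ipv4" else 6) and proto in ("any", pkt.proto)
    if kind == "protocol":
        return L7_BY_PORT.get(pkt.dport) in arg
    raise ValueError("unknown matcher %r" % kind)


def evaluate(policy, pkt):
    """Return (class name, action) the policy-map applies to pkt."""
    for name, kind, arg, action in policy:
        if class_matches(kind, arg, pkt):
            return name, action
    return "class-default", "drop"   # both posted policy-maps end in 'drop log'


def verdicts():
    """Constructed flows on the two posted zone-pairs."""
    out, inb = FW_TO_INTERNET, FW_INTERNET__BUERO_VLAN1
    return {
        "out v6 tcp/80, port known":  evaluate(out, Packet(6, "tcp", 80)),
        "out v6 tcp, port unknown":   evaluate(out, Packet(6, "tcp", 0)),
        "out v6 gre":                 evaluate(out, Packet(6, "gre")),
        "out v4 gre":                 evaluate(out, Packet(4, "gre")),
        "in  v6 tcp/443 unsolicited": evaluate(inb, Packet(6, "tcp", 443)),
    }


if __name__ == "__main__":
    for flow, (cls, action) in verdicts().items():
        print("%-28s -> %s (%s)" % (flow, cls, action))
```

    The model also makes the return path explicit: on ZP_INTERNET__BUERO_VLAN1 every IPv6 packet lands in FW_IPV6_ALLES and is dropped, so replies to a Router2 client only get through if an `inspect` entry on the outbound zone-pair created state for the flow; a flow that fell to class-default outbound has no such state.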
